This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tvb_composite problem

0

Hello,

I have the following problem. My dissector needs to rebuild a new tvb. A better description would be, I need to cut out some data and send it to the next dissector.

As Example....

02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
11 11 11 11 11 11 22 22 22 22 22 22 33 33 44 44             I
10 01 00 00 00 aa c2 bc cd ef ed fe 15 18 1d d2
44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44            II
10 01 00 00 00 aa c2 bc cd ef ed fe 15 18 1d d3
....

the first to lines are some other protocol data (my protocol) 11, 22 and 33 are the ethernet header 44 the ip header

what I now need to do is to cut out line I and II, reasamble it an send it to the next dissector (ethernet). I found the solution in building a composite buffer. The real code looks a little bit different but for the data above it would like this.

tvbuff_t *new_tvb;
tvbuff_t *tvb_sub1;
tvbuff_t *tvb_sub2;

new_tvb = tvb_new_composite();


tvb_sub1 = tvb_new_subset(tvb, 32, 16, 16);
tvb_sub2 = tvb_new_subset(tvb, 64, 16, 16);


tvb_composite_append(new_tvb, tvb_sub1);
tvb_composite_append(new_tvb, tvb_sub2);


tvb_composite_finalize(new_tvb);


call_dissector(handle_eth, timing_tvb, pinfo, tree);

The handle_eth is set with

handle_eth = find_dissector("eth");

No the problem…. With Ethernet everything is fine. Then the Ethernet dissector sends it to IP dies because of wrong data. When I look at the data IP gets I see that IP do not get the right data. It should be

  44 44 44 44 44 44 44 44 44 …..

but it is

 44 10 01 00 00 00 aa c2 …..

That shows me that the composite buffer is not working the right way. I found some old mailing lists entries (the newest was 2011) with composite buffer problems.

Do I miss something or they still problems with the composite buffer? Is there another way to do this that I missed?

Thanks Gatherer

EDIT1: fixed the code example after the first reply

EDIT2: I got it running today. But it’s a little bit weared. I post the real code so I can discribe it better. First the code.

  tvbuff_t *timing_tvb;
timing_tvb = tvb_new_composite();


// I need to calculate the amount of sub buffer I need
// tvb size is calculated before
tvbuff_t *tvb_sub[tvb_size/16/2];


guint loopCounter;
loopCounter = 0;
while(tvb_size > 0) {
tvb_sub[loopCounter] = tvb_new_subset(tvb, payload_offset_save, 16, 32);
tvb_size -= 32;
tvb_composite_append(timing_tvb, tvb_sub[loopCounter]);
// this output is just for testpurpose and shows me that I cut the right data
proto_tree_add_item(tree_reportPayload, hf_proto_hsDebugProtocol_payload_data,          tvb_sub[loopCounter], 0, 16, ENC_BIG_ENDIAN);
// check to see if I go trough the while loop right
printf("loopCounter: %d\n", loopCounter);
payload_offset_save += 32;
loopCounter += 1;
}
tvb_composite_finalize(timing_tvb);
// this line had a testpurpose too but here comes the weired part, I explaine this later
// this is my "special line"
proto_tree_add_item(tree_reportPayload, hf_proto_type_payload_data, timing_tvb, 0, -1, ENC_BIG_ENDIAN);
// call Ethernet
call_dissector(data_handle_eth, timing_tvb, pinfo, tree);
  1. When I use the code above it works. I get some strange side effects in column names (e.g. ASSERT erorrs are shown) but its ok. The only problem is that the highligting is completly wrong. The highlighting shows the right amount of bytes but its shown as no cutting happend. E.g. IP shows the right source and destination IP, Port and so on. It’s not pretty but I could live with it.
  2. Now the weared part. If I comment out my special line. The Ethernet dissector works fine and calls the IP dissector but then IP dies and throws ASSERT errors and stop dissecting on different. There are some funny things shown like IP Version: 12 but the data is right (4). Any Ideas?

asked 28 Jan ‘14, 07:45

Gatherer's gravatar image

Gatherer
16447
accept rate: 0%

edited 30 Jan ‘14, 13:16

Just two quick notes: (I hadn’t noticed your update).

  1. I’ve no idea if packet bytes highlighting works properly for composite tvb’s. I’ll have to test that.

Update: Highlighting of the packet bytes based upon a composite buffer doesn’t work (as you noted)in GTK Wireshark. Feel free to file a bug at bugs.wireshark.org. I should note that it’s very unlikely that it will be fixed in GTK Wireshark since the dev Wireshark is now using QT as the GUI library. However, the bug report can serve as a reminder to check if the same problem exists in QT Wireshark.

  1. tvb_new_subset(tvb, payload_offset_save, 16, 32); The ‘32’ as reported length may cause problems; I would try using ‘16’.
(04 Feb ‘14, 08:29) Bill Meier ♦♦

One Answer:

1

  1. I fixed various problems in tvb_composite quite some time back, so it should work (if it hasn't somehow got broken again).

  2. The code you show won't fetch the "I" and "II" as shown. The offsets should be 32 and 64 (not 16 and 48). (I'm assuming that each row has should have 16 bytes, not the 14 bytes shown).

(Possibly your example doesn't match your actual code).

That being said, you can obviously just create a new tvb and then copy portions of the existing tvb to the new tvb.

ISTR tvb_composite goes through some gyrations (and may actually create a tvb with the components) so it may be no worse to just copy the sections into a new tvb.

answered 28 Jan '14, 08:16

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

with the length you are right ... should be 16 byte per line

with the offset you are right too .. thats the problem with writing simple example code .. ;)

what do you mean with copy the code into a new tvb . just with memcpy? Do you have a small example?

(28 Jan '14, 08:25) Gatherer

I use wireshark 1.10.3 ... i can switch to the latest stable if needed

(28 Jan '14, 08:34) Gatherer
1

I take that back :) not quite so "obviously".

buf = <allocate memory for a buf>
tvb_memcpy(tvb, ...);  // copy some data from existing tvb to buf
tvb_memcpy(tvb, ...);  // copy some data from existing tvb to buf

tvb_new = tvb_new_child_real_data(tvb, buf, …)
tvb_set_free_cb(tvb_new,…) // callback to free buf
//  when tvb is free'd

See epan/tvbuff.h for details (especially for tvb_new_child_real_data)

(The above was done quickly so it may not be quite correct).

(28 Jan ‘14, 08:59) Bill Meier ♦♦
1

P.S: I just re-ran the tvbtest diagnostic and it shows no problems with composite buffers; I don’t think there’s a need to update 1.10.3

(28 Jan ‘14, 09:02) Bill Meier ♦♦

I updated my comment

(30 Jan ‘14, 13:16) Gatherer